Discussion:
libXcursor + -finline-functions: Invalid read of size 4
William Brana
2014-08-08 11:15:54 UTC
Hello,
I'm getting warnings like following from valgrind when libXcursor is
compiled with -O2 -finline-functions and gcc 4.8.3 or 4.7.4, but not
with -O2.
Is it miscompiled or false positive?

Invalid read of size 4
at 0x8928F8F: XcursorScanTheme.part.0 (in /usr/lib64/libXcursor.so.1.0.2)
by 0x892977C: XcursorLibraryLoadImages (in /usr/lib64/libXcursor.so.1.0.2)
by 0x89298F0: XcursorLibraryLoadCursor (in /usr/lib64/libXcursor.so.1.0.2)
by 0x50A4EFF: QCursorData::update() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50A5676: QCursor::handle() const (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50B38C0: qt_x11_enforce_cursor(QWidget*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50B9507: QWidgetPrivate::create_sys(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x505D607: QWidget::create(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50A0952: setupOwner() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50A0C89: QClipboard::QClipboard(QObject*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x5000373: QApplication::clipboard() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x52B97B4: QTextControl::canPaste() const (in /usr/lib64/qt4/libQtGui.so.4.8.5)
Address 0xc6ba8e0 is 16 bytes inside a block of size 19 alloc'd
at 0x4C2984F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x8928D7A: XcursorScanTheme.part.0 (in /usr/lib64/libXcursor.so.1.0.2)
by 0x892977C: XcursorLibraryLoadImages (in /usr/lib64/libXcursor.so.1.0.2)
by 0x89298F0: XcursorLibraryLoadCursor (in /usr/lib64/libXcursor.so.1.0.2)
by 0x50A4EFF: QCursorData::update() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50A5676: QCursor::handle() const (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50B38C0: qt_x11_enforce_cursor(QWidget*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50B9507: QWidgetPrivate::create_sys(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x505D607: QWidget::create(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50A0952: setupOwner() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x50A0C89: QClipboard::QClipboard(QObject*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
by 0x5000373: QApplication::clipboard() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
Florian Weimer
2014-08-11 08:43:27 UTC
Post by William Brana
Hello,
I'm getting warnings like following from valgrind when libXcursor is
compiled with -O2 -finline-functions and gcc 4.8.3 or 4.7.4, but not
with -O2.
Is it miscompiled or false positive?
Can you run valgrind with debugging information? It might tell us at
least which allocation is too short.

It could be a harmless over-read from the libc string functions
(particularly if valgrind has not been set up correctly on your system).
--
Florian Weimer / Red Hat Product Security
William Brana
2014-08-12 14:57:25 UTC
Post by Florian Weimer
Post by William Brana
Hello,
I'm getting warnings like following from valgrind when libXcursor is
compiled with -O2 -finline-functions and gcc 4.8.3 or 4.7.4, but not
with -O2.
Is it miscompiled or false positive?
Can you run valgrind with debugging information? It might tell us at
least which allocation is too short.
It could be a harmless over-read from the libc string functions
(particularly if valgrind has not been set up correctly on your system).
--
Florian Weimer / Red Hat Product Security
gcc 4.8, libXcursor 1.1.14
From Qt application:

==43000== Invalid read of size 4
==43000== at 0x89019F3: XcursorScanTheme.part.0 (library.c:137)
==43000== by 0x8901E96: XcursorLibraryLoadImages (library.c:315)
==43000== by 0x8901F41: XcursorLibraryLoadCursor (library.c:322)
==43000== by 0x50A2A3F: QCursorData::update() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x50A31B6: QCursor::handle() const (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x50B1300: qt_x11_enforce_cursor(QWidget*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x50B6EC7: QWidgetPrivate::create_sys(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x505BC97: QWidget::create(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x509E3E2: setupOwner() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x509E719: QClipboard::QClipboard(QObject*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x4FFFA93: QApplication::clipboard() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x52ADF24: QTextControl::canPaste() const (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== Address 0xd4d6ed0 is 32 bytes inside a block of size 35 alloc'd
==43000== at 0x4C2984F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==43000== by 0x8901492: XcursorScanTheme.part.0 (library.c:117)
==43000== by 0x8901E96: XcursorLibraryLoadImages (library.c:315)
==43000== by 0x8901F41: XcursorLibraryLoadCursor (library.c:322)
==43000== by 0x50A2A3F: QCursorData::update() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x50A31B6: QCursor::handle() const (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x50B1300: qt_x11_enforce_cursor(QWidget*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x50B6EC7: QWidgetPrivate::create_sys(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x505BC97: QWidget::create(unsigned long, bool, bool) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x509E3E2: setupOwner() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x509E719: QClipboard::QClipboard(QObject*) (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==43000== by 0x4FFFA93: QApplication::clipboard() (in /usr/lib64/qt4/libQtGui.so.4.8.5)
==42827== 6 errors in context 1 of 4:
==42827== Invalid read of size 4
==42827== at 0x88D29F3: XcursorScanTheme.part.0 (library.c:137)
==42827== by 0x88D2E96: XcursorLibraryLoadImages (library.c:315)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3EBEA: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== Address 0xb8afca0 is 32 bytes inside a block of size 35 alloc'd
==42827== at 0x4C2984F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42827== by 0x88D2492: XcursorScanTheme.part.0 (library.c:117)
==42827== by 0x88D2E96: XcursorLibraryLoadImages (library.c:315)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827==
==42827==
==42827== 6 errors in context 2 of 4:
==42827== Invalid read of size 4
==42827== at 0x88D269F: XcursorScanTheme.part.0 (library.c:137)
==42827== by 0x88D2E96: XcursorLibraryLoadImages (library.c:315)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3EBEA: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== Address 0xb8afca0 is 32 bytes inside a block of size 35 alloc'd
==42827== at 0x4C2984F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42827== by 0x88D2492: XcursorScanTheme.part.0 (library.c:117)
==42827== by 0x88D2E96: XcursorLibraryLoadImages (library.c:315)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827==
==42827==
==42827== 6 errors in context 3 of 4:
==42827== Invalid read of size 4
==42827== at 0x88D29DC: XcursorScanTheme.part.0 (library.c:137)
==42827== by 0x88D2E21: XcursorLibraryLoadImages (library.c:229)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3EBEA: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== Address 0xb8aa4f4 is 20 bytes inside a block of size 23 alloc'd
==42827== at 0x4C2984F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42827== by 0x88D2492: XcursorScanTheme.part.0 (library.c:117)
==42827== by 0x88D2E21: XcursorLibraryLoadImages (library.c:229)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827==
==42827==
==42827== 6 errors in context 4 of 4:
==42827== Invalid read of size 4
==42827== at 0x88D268A: XcursorScanTheme.part.0 (library.c:137)
==42827== by 0x88D2E21: XcursorLibraryLoadImages (library.c:229)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3EBEA: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== Address 0xb8aa4f4 is 20 bytes inside a block of size 23 alloc'd
==42827== at 0x4C2984F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==42827== by 0x88D2492: XcursorScanTheme.part.0 (library.c:117)
==42827== by 0x88D2E21: XcursorLibraryLoadImages (library.c:229)
==42827== by 0x88D328B: XcursorTryShapeCursor (xlib.c:105)
==42827== by 0x6CBD56E: XCreateGlyphCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x6CBDB2C: XCreateFontCursor (in /usr/lib64/libX11.so.6.3.0)
==42827== by 0x581CD54: gdk_cursor_new_for_display (in /usr/lib64/libgdk-x11-2.0.so.0.2400.24)
==42827== by 0x4F2866E: gtk_entry_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5075629: gtk_spin_button_realize (in /usr/lib64/libgtk-x11-2.0.so.0.2400.24)
==42827== by 0x5F2144E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F38310: signal_emit_unlocked_R (in /usr/lib64/libgobject-2.0.so.0.4000.0)
==42827== by 0x5F3E931: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4000.0)
Florian Weimer
2014-08-12 15:17:37 UTC
Post by William Brana
Post by Florian Weimer
Can you run valgrind with debugging information? It might tell us at
least which allocation is too short.
It could be a harmless over-read from the libc string functions
(particularly if valgrind has not been set up correctly on your system).
==43000== at 0x89019F3: XcursorScanTheme.part.0 (library.c:137)
From library.c:

137 full = malloc (strlen (dir) + 1 + strlen (subdir) + 1 + strlen (file) + 1);

So this looks indeed like a strlen implementation (possibly inlined)
which is not properly instrumented.
--
Florian Weimer / Red Hat Product Security
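Added example, not code from the thread or from libXcursor: a small C triage helper that applies the reading above to the numbers memcheck printed. Every report on this page is a 4-byte read at a 4-byte-aligned offset (16 of 19, 32 of 35, 20 of 23) that ends inside the word holding the block's last byte, which is the footprint of a word-at-a-time string scan such as an strlen that valgrind did not intercept; the function and enum names are my own and the sample lines are copied from the Qt trace.

```c
#include <stdio.h>
#include <string.h>

enum read_kind {
    READ_IN_BOUNDS,      /* read lies entirely inside the block */
    READ_WORD_OVERREAD,  /* aligned word read that ends past the block but inside
                            the word holding its last byte (word-at-a-time strlen) */
    READ_OUT_OF_BOUNDS   /* anything else: treat as a real bug */
};

/* offset: bytes from block start to the read; size: bytes read; block: allocation
 * size; all three as memcheck reports them. */
enum read_kind classify_read(unsigned long offset, unsigned long size, unsigned long block)
{
    if (offset + size <= block)
        return READ_IN_BOUNDS;
    /* malloc results are at least word aligned, so a word-at-a-time scan reads at
     * offsets that are multiples of the word size and only over-reads on the word
     * that contains the terminating NUL. */
    if (size > 0 && offset % size == 0 && offset < block)
        return READ_WORD_OVERREAD;
    return READ_OUT_OF_BOUNDS;
}

/* Extract size, offset and block size from the "Invalid read of size N" line and
 * the "Address ... is N bytes inside a block of size M alloc'd" line.
 * Returns 1 on success, 0 if either line does not match. */
int parse_report(const char *read_line, const char *addr_line,
                 unsigned long *size, unsigned long *offset, unsigned long *block)
{
    const char *p = strstr(read_line, "Invalid read of size ");
    const char *q = strstr(addr_line, "Address ");
    if (!p || !q || sscanf(p, "Invalid read of size %lu", size) != 1)
        return 0;
    return sscanf(q, "Address %*s is %lu bytes inside a block of size %lu",
                  offset, block) == 2;
}

/* Constructed sample: the two key lines of the Qt trace quoted in this thread. */
enum read_kind triage_qt_sample(void)
{
    unsigned long size, offset, block;
    const char *l1 = "==43000== Invalid read of size 4";
    const char *l2 = "==43000== Address 0xd4d6ed0 is 32 bytes inside a block of size 35 alloc'd";
    if (!parse_report(l1, l2, &size, &offset, &block))
        return READ_OUT_OF_BOUNDS;
    return classify_read(offset, size, block);
}
```

The classification is a heuristic for prioritising reports: a READ_WORD_OVERREAD still deserves a look at which string routine was inlined, while a misaligned or wholly out-of-block read should be treated as a genuine defect.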